New intrusion-detection systems that go beyond monitoring attacks to actually blocking them have network executives intrigued, but some worry that the devices could quash legitimate traffic, cause network latency and present a single point of failure.
Unlike traditional IDS products that stay out of the way of network traffic, passively monitoring the traffic going by and leaving the blocking of attacks to routers or firewalls, these new "intrusion-prevention" systems inspect traffic directly as it makes its way from outside a corporate LAN to end users' desktops.
The latest vendors to air plans for such intrusion-prevention appliances are Top Layer Networks and Sourcefire. Top Layer, which already makes a variety of network security devices, next week plans to announce appliances focused on HTTP Port 80 attacks, computer worms and other signature attacks it says companies will not hesitate to block. Separately, Sourcefire Founder and CTO Martin Roesch - who has commercialized the Snort intrusion-detection freeware he developed - divulged that the company is readying an intrusion-prevention device for early next year. These companies follow others such as Internet Security Systems (ISS), IntruVert, NetScreen Technologies and TippingPoint Technologies into the market.
For organizations seeing no slowdown in attacks, the new offerings may be hard to pass up despite the reservations being voiced.
"Passive monitoring just wasn't accomplishing anything," says Stephen Olsen, IT director at The Las Vegas Review Journal, which has used the NetScreen IDP-100 to guard its multimegabit Internet access connection. But the Review is using the product to block only a modest portion of known attacks because of concern about dropping legitimate traffic for the Web sites the publication manages.
With the FBI's help, the Review is chasing down and prosecuting a hacker who had attacked the publication via the Internet. The IDP-100-generated report helped provide evidence about the hacker's activity, although the strongest evidence probably came from packets originating from the hacker's IP address that weren't blocked as opposed to those that were, Olsen says.
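The policy the Review describes, blocking only a small set of high-confidence signatures inline while letting everything else pass with an alert, and logging both blocked and passed matches as evidence, as an added example that is not code from the article or from any of the vendors named (the rules, signatures and sample packets are constructed for the demonstration):

```python
# Added example: a minimal inline inspection engine modelling the "drop vs. alert"
# policy split. All rules, signatures and packets below are constructed for the demo.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    name: str
    dst_port: int
    signature: bytes
    action: str  # "drop": block inline; "alert": log only, traffic is forwarded


@dataclass
class InlineEngine:
    rules: list
    fail_open: bool = True  # on an inspection error, forward rather than become an outage
    log: list = field(default_factory=list)

    def inspect(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        try:
            for rule in self.rules:
                if pkt.dst_port == rule.dst_port and rule.signature in pkt.payload:
                    forwarded = rule.action != "drop"
                    # Record both outcomes: passed matches are evidence too, as the
                    # article notes about packets from the attacker's IP address.
                    self.log.append((pkt.src, rule.name, "passed" if forwarded else "dropped"))
                    return forwarded
            return True  # no rule matched: forward untouched
        except Exception:
            return self.fail_open


RULES = [
    Rule("worm-probe", 80, b"/default.ida?", "drop"),     # high-confidence, safe to block
    Rule("generic-cgi-scan", 80, b"/cgi-bin/", "alert"),  # could match legitimate sites
]

SAMPLE = [  # constructed traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    Packet("203.0.113.5", 80, b"GET /default.ida?XXXX HTTP/1.0"),
    Packet("203.0.113.5", 80, b"GET /cgi-bin/search.cgi?q=news HTTP/1.0"),
    Packet("198.51.100.9", 80, b"GET /index.html HTTP/1.0"),
]


def run(packets=SAMPLE, rules=RULES):
    engine = InlineEngine(list(rules))
    verdicts = [engine.inspect(p) for p in packets]
    return verdicts, engine.log
```

Only the first packet is dropped; the looser rule fires an alert but forwards the request, so a false positive there costs an investigation rather than a dropped customer session.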
Such issues will come to the forefront as more companies try intrusion prevention.